What would you want to happen if 2 processes get read-only locks and then try to "upgrade" them at the same time to read-write? What reasonable semantics can you suggest for resolving this?

If they both request blocking upgrades then it is called "deadlock". It is something you have to deal with (at least to the point of planning how to avoid) in nearly any situation dealing with locking. Most of the systems I work with these days have a very simple response to deadlock, for example, "man fcntl" says "This implementation detects that sleeping until a locked region is unlocked would cause a deadlock and fails with an EDEADLK error." And it is easy to create deadlock with flock so avoiding a case of deadlock is not a reasonable explanation of this particular design choice. Especially since non-blocking upgrades would be very useful and can't be a source of deadlock.

Note that this case wouldn't have been one involving deadlock. The reasonable semantics I wanted were exactly those provided by fcntl-based file locks. I can create the deadlock you describe with my test program by having two instance try to start at nearly the same time. And fcntl handles this very nicely and the second one to try to do a blocking upgrade to an exclusive lock simple fails with "Resource deadlock avoided" (but my original test code doesn't test for this failure).

Having an operation involving locks be implemented non-atomically is, frankly, just stupid to me. But you only have to try to make practical use of any number of parts of Sys V IPC to see that stupid designs do become standard. For example, "man fcntl" says:

This interface follows the completely stupid semantics of System V and IEEE Std1003.1-1988 (``POSIX'') that require that all locks associated with a file for a given process are removed when any file descriptor for that file is closed by that process.

Which is a pretty stupid idea in a lot of situations. I can see how you can look at it from a different angle and think of it as a feature but when you look at both sides, the trade-off is pretty clear and this "feature" would certainly be changed if it weren't for backward compatibility augmented by standardization.

Getting a shared lock is a promise that you won't be doing any modifications based on your read.

I'm not sure where you got that idea. To me, a shared lock means that I don't want anyone else to change the data out from under me. It is quite reasonable to then decide that I need to make a change to the data and request access to change it. If I can't request that without first releasing the shared lock (in a non-atomic manner), then I'm forced to hold the exclusive lock while I reread the data and reperform the computations to decide whether I still want to make the same change. This can be very wasteful.